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(54) System and method for managing data privacy in a database management system including 
a dependently connected privacy data mart 



(57) A system for managing data privacy comprises 
a database management system for storing data from a 
plurality of consumer database tables, with irrevocable 
logging of all access, whether granted or denied, to the 
data contents stored in the consumer data tables; a pri- 
vacy metadata system that administers and records all 
data, users and usage of data that is registered as con- 
taining privacy elements; and a replication system that 
feeds the consumer access system with personal con- 
sumer data, maintains integrity of the consumer data 



and provides changes and corrections back to the orig- 
inating database management system through their 
own integrity filters as well as a means of storage and 
the mechanism to provide input for changes in the per- 
sonal data or privacy preferences. The system further 
includes means for managing consumer notification, 
access, correction and change of preferences for pri- 
vacy or data protection in the privacy metadata system. 
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Description 

BACKGROUND OF THE INVENTION 

1 . Field of the Invention 

[0001 ] The present invention relates to systems and 
methods of data warehousing and analysis, and in par- 
ticular to a system and method for providing consumer 
notification, access, data correction and change of pref- 
erences for data privacy in a data warehousing system 
that includes a physically separate but dependentty con- 
nected data mart. 

2. Description of the Related Art 

[0002] Database management systems are used to 
collect, store, disseminate, and analyze data. These 
large-scale integrated database management systems 
provide an efficient, consistent, and secure data ware- 
housing capability for storing, retrieving, and analyzing 
vast amounts of data. Met a Data Services are a com- 
prehensive solution for managing metadata in complex 
data warehouse environments. Meta Data Services pro- 
vides a solution for locating, consolidating, managing 
and navigating warehouse metadata. It also allows for 
setting aside an area from where all system aspects of 
privacy are registered, administered and logged in an 
auditable format. The ability to collect, analyze, and 
manage massive amounts of information through meta- 
data has become a virtual necessity in business today, 
particularly when multiple hardware systems are 
involved. 

[0003] The information stored by these data ware- 
houses can come from a variety of sources. One impor- 
tant data warehousing application involves the 
collection and analysis of information collected in the 
course of commercial transactions between retailer out- 
lets and retail consumers. For example, when an indi- 
vidual uses a credit card to purchase an item at a retail 
store, the identity of the customer, the item purchased, 
the purchase amount and other similar information are 
collected. Traditionally, this information is used by the 
retailer to determine if the transaction should be com- 
pleted, and to control product inventory. Such data can 
also be used to determine temporal and geographical 
purchasing trends. 

[0004] The data collected during such transactions 
is also useful in other applications. For example, infor- 
mation regarding a particular transaction can be corre- 
lated to personal information about the consumer (age, 
occupation, residential area, income, etc.) to generate 
statistical information. In some cases, this personal 
information can be broadly classified into two groups: 
information that reveals the identity of the consumer, 
and information that does not. Information that does not 
reveal the identity of the consumer is useful because it 
can be used to generate information about the purchas- 



ing proclivities of consumers with similar personal char- 
acteristics. Personal information that reveals the identity 
of the consumer can be used for a more focused and 
personalized marketing approach in which the purchas- 

5 ing habits of each individual consumer differentiates the 
approach and brings competitive advantage. 
[0005] Unfortunately, while the collection and analy- 
sis of such data can be of great public benefit, it can 
also be the subject of considerable abuse. It can dis- 

10 courage the use of emerging technology, such as cash 
cards and loyalty card programs, and foster continuation 
of more conservative payment methods such as cash 
and checks. In fact, public concern over privacy is 
believed to be a factor holding back the anticipated 

is explosive growth in web commerce. 

[0006] For all of these reasons, when personal 
information is stored in data warehouses, it is incum- 
bent on those that process and control this data to pro- 
tect the data subjects from such abuse. As more and 

20 more data is collected in this, the computer age, the 
rights of individuals regarding the use of data pertaining 
to them have become of greater importance. What is 
needed is a system and method which provides all the 
advantages of a complete data warehousing system, 

25 while addressing the privacy concerns of the consumer. 
Consumers should have insight in what data about 
them is subject to collection and use. 
[0007] Therefore, it is the responsibility of those that 
process and control personal data to provide accurate 

30 and full disclosure of what data is collected and proc- 
essed, for what purposes, and under what limits of use. 
This includes data which the data controller has not col- 
lected directly from the consumer. It is the obligation of 
a data controller to provide access to the consumer of 

35 data which are being processed, in order to notify the 
consumer of the existence of a processing operation 
and, where data are collected from him, accurate and 
full information to verify in particular the accuracy of the 
data and the implied or explicitly stated preferences of 

40 privacy or data protection that has been agreed 
between the data controller and the data subject and 
work directly with the consumer to negotiate privacy 
preferences. 

45 SUMMARY OF THE INVENTION 

[0008] To address the requirements described 
above, the present invention discloses a method and 
apparatus for managing consumer notification and 

so access and a means of correction and change of prefer- 
ences for privacy or data protection in a data warehous- 
ing system including a physically separate but 
dependently connected data mart. 
[0009] The apparatus comprises a database man- 

55 agement system, for storing data from a plurality of con- 
sumer database tables, with irrevocable logging of all 
access, whether granted or denied, to the data contents 
stored in the consumer data tables, a privacy metadata 
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system that administers and records all data, users and 
usage of data that is registered as containing privacy 
elements, a replication system that feeds the consumer 
access system with personal consumer data, maintains 
integrity of the consumer data and provides changes 5 
and corrections back to the originating database man- 
agement system through their own integrity filters as 
well as a means of storage and the mechanism to pro- 
vide input for changes in the personal data or privacy 
preferences. 70 
[0010] The method is supported by a privacy 
administrators utility and includes procedures for migra- 
tion of consumer data from any state or format into a 
consistent and presentable state in the consumer 
access dependent data mart by establishing a database 75 
logical data model and physical database design in the 
data mart with all the tables, views and macros needed 
to reflect all aspects of personal data and its identifiers, 
dependently coupled for integrity to the base consumer 
database management system as a direct reflection of 20 
the tables in that system, extending database tables to 
store and retrieve privacy preference parameters for the 
data stored in the database table, the privacy parame- 
ters collectively reflected in a plurality of database views 
associated with the data, accepting personal data and 25 
privacy parameters from the data source, possibly 
including sources external to the data warehouse, stor- 
ing the privacy parameters in the columns associated 
with the data, providing notification of and access to the 
data in the database table to a requesting consumer 30 
solely through a privacy metadata services interface in 
accordance with the personal privacy parameters. 
[0011] Where possible the data models will be 
adapted to accepted privacy standards, like P3R to 
reflect the data types and privacy sensitivity levels nec- 35 
essary and the consumer privacy preferences, provide 
for an adapted system for loading, formatting and main- 
taining data through Teradata utilities provide a system 
for returning changes back to the source system and a 
utility that allows a privacy administrator or data protec- 40 
tion officer to manage the consumer access system to 
legal specifications. The program storage device com- 
prises a medium for storing instructions performing the 
method steps outlined above. 

45 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0012] An embodiment of the present invention will 
now be described, by way of example, with reference to 
the accompanying drawings.in which: so 



tive example of the structure of privacy-extended 
customer tables stored in the data management 
system and the database views that provide virtual 
separation between different user types and the 
actual data; 

Figures 4A and 4B illustrate a data warehouse with 
a physically separate but dependentfy connected, 
privacy dependent data mart and the functions 
associated with the data mart; 
Figure 5 is a block diagram illustrating the functions 
of the privacy administration utility that supports the 
privacy dependent data mart; 
Rgure 6 is a block diagrams illustrating the func- 
tions of the privacy consumer access module and 
utility that supports the privacy dependent data 
mart; 

Rgure 7 is a flow chart illustrating the total method- 
ology for building privacy into a data warehouse or 
a data mart consisting of a Privacy Planning phase, 
a Design & Implementation phase and a Privacy 
Usage, Support & Enhancement phase; and 
Figures 8A and 8B provide a graphical representa- 
tion of the migration methodology that supports the 
implementation of the consumer access dependent 
data mart. 

DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENT 

[0013] In the following description, reference is 
made to the accompanying drawings which form a part 
hereof, and which is shown, by way of illustration, sev- 
eral embodiments of the present invention. It is under- 
stood that other embodiments may be utilized and 
structural changes may be made without departing from 
the scope of the present invention. 
[0014] Figure 1 is a system block diagram present- 
ing an overview of a data warehousing system 1 00. The 
system comprises secure data warehouse 1 02 having a 
database management system 104 storing one or more 
extended databases 106 therein. 
[001 5] One important capability of a database man- 
agement system is the ability to define virtual table and 
save that definition in the database as metadata with a 
user-defined name. The object formed by this operation 
is known as a dataview. As a virtual table, a dataview is 
not physically materialized anywhere in the database 
until it is needed. All accesses to data, other than for 
data administrative purposes, would be accomplished 
through dataviews. Various dataviews exist for pur- 
poses of implementing privacy rules. Metadata about 
the privacy dataview (including the dataview name, 
names and data types of the dataview columns, and the 
method by which the rows are to be derived) is stored 
persistently in the databases metadata, but the actual 
data presented by the view is not physically stored any- 
where in association with the derived table. Instead, the 
data itself is stored in a persistent base table, and the 



Figure 1 is a system block diagram of an exemplary 
embodiment of a data warehouse system; 
Figures 2A and 2B illustrate a graphical representa- 
tion of the privacy logical data model that supports 55 
the implementation of both the data warehouse and 
a dependent data mart; 

Figure 3 is a block diagram presenting an illustra- 
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view's rows are derived from that base table. Although 
the dataview is a virtual table, operations can be per- 
formed against dataviews just as they can be performed 
against the base tables. 

[0016] The secure data warehouse 102 further 
comprises a suite of privacy metadata dataviews 108 
through which all data in the extended database 1 06 are 
presented.. Data within the extended database 106 can 
be viewed, processed, or altered only through the data- 
views in this suite. The schema and logical model of the 
extended database and dataviews is set forth more fully 
herein with respect to Figure 2. 
[0017] Virtually all access to the data stored in the 
extended database 1 06 is provided solely through the 
dataview suite 108. Thus, retailer applications 110 and 
third party applications 112 have access only to such 
data as permitted by the database view provided. In one 
embodiment, provision is made to permit override of the 
customer's privacy preferences. However, in such cir- 
cumstances, data describing the nature of the override 
is written to the database for retrieval by the audit mod- 
ule 118, so that the override cannot occur surrepti- 
tiously. Further, overrides may be monitored by the 
privacy metadata monitoring extensions 1 14 to provide 
an alert to the consumer when such overrides occur 
116. 

[0018] The limiting access to the data stored in the 
extended database 106 to access provided by the pri- 
vacy dataview suite 108 for purposes of implementing 
privacy rules provides the capability to make the per- 
sonal data anonymous (through the anonymizing view 
described herein), to restrict access to opted-out col- 
umns, which can apply to all personal data, separate 
categories of personal data, or individual data columns, 
and to exclude entire rows (customer records) for opted- 
out purposes - a row is excluded if any of the applicable 
opt-out flags is on for the customer in question. 
[0019] Using a client interface module 122 that 
communicates with the dataviews 108, a client 124 can 
access, control, and manage the data collected from the 
client 1 24. This data control and management can be 
accomplished using a wide variety of communication 
media 140, including the Internet 126 (via a suitable 
browser plug-in 125, a modem 130, voice telephone 
communications 132, or a kiosk 134 or other device at 
the point of sale. To facilitate such communications, the 
kiosk or other device at the point of sale, can issue a 
smartcard 136 or a loyalty card 138. The kiosk/pos 
device 134 can accept consumer input regarding pri- 
vacy preferences, and issue a smartcard 136 or loyalty 
card 138 storing information regarding these prefer- 
ences. Similarly, when using the kiosk/pos device 1 34 
and the smartcard 136 or loyalty card 138, the con- 
sumer may update or change preferences as desired. In 
cases where the loyalty card 138 is a simple read only 
device (such as a bar-coded attachment to a key ring), 
the kiosk/pos device 134 can accept issue replacement 
cards with the updated information as necessary. Trans- 



actions using the loyalty card 138 or smartcard 136 are 
select ably encrypted. Either card may interact directly 
with the server or through a plug-in to implement the 
security rules selected. 

5 [0020] Through this interface, the consumer can 
specify data sharing and retention preferences. These 
allow the consumer to specify when and under what cir- 
cumstances personal information may be retained or 
shared with others. For example, the consumer may 

w permit such data retention as a part of a loyalty card 
program, or specify that use of the data is limited to par- 
ticular uses. Further, the consumer may specify under 
what circumstances the data may be sold outright, used 
for statistical analysis purposes, or used for elective 

15 marketing programs. 

[0021 ] The data warehousing system 1 00 also per- 
mits use of anonymous data within the data warehouse 
1 02 via a privacy service 1 50. When the user desires 
anonymous data, the transaction is routed to the privacy 

20 service 150. The privacy service 150 accesses a pri- 
vacy rule database 1 52 and other security information 
154 and uses the privacy rule and security information 
to remove all information from which the identity of the 
consumer can be determined. The cleansed transaction 

25 information response is then forwarded to the anonym- 
ity protection interface module 160 in the secure data 
warehouse. Communications with the secure data 
warehouse 1 02 use a proxy user identification, which is 
created by the privacy service 150 from the customer's 

30 username or other identifying information. If the cus- 
tomer does not require anonymous data, the transac- 
tion is provided directly to the retailer who may store the 
transaction information response in the extended data- 
base. 

35 [0022] Since it alone provides access to data within 
the extended database, the dataview suite 1 08 also pro- 
vides a convenient and comprehensive means for audit- 
ing the security of the secure data warehouse 1 02. 
[0023] The secure data warehouse 1 02 also com- 

40 prises metadata monitoring extension 114. This exten- 
sion 114 allows the customer to generate a rule to 
monitor the use of personal data, and to transmit an 
alert 116 or callback if a metadata definition change 
occurs. The customer can control the metadata moni- 

45 toring extension 1 14 to trigger an alert when the con- 
sumer's personal information is read from the extended 
database 106, when personal information is written to 
the extended database 106, when opt-out delimiters 
stored in the extended database are changed, or when 

so a table or a dataview is accessed. The metadata moni- 
toring extension 114 also records data source informa- 
tion, so customers can determine the source of the data 
stored in the secure data warehouse 102. The data 
source may be the customer, or may be a third party 

55 intermediary source. This feature is particularly useful 
when the consumer would like to not only correct erro- 
neous information, but to determine the source of the 
erroneous information so the error will not be replicated 
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in the same database or elsewhere.. 
[0024] The metadata monitoring extension 1 1 4 can 
also be used to support auditing functions by tracking 
reads or writes from the extended database 106 as well 
as the changes to the dataview suite 1 08. s 
[0025] The described system can be implemented 
in a computer comprising a processor and a memory, 
such as a random access memory (RAM). Such com- 
puter is typically operativety coupled to a display, which 
presents images such as windows to the user on a 10 
graphical user interface. The computer may be coupled 
to other devices, such as a keyboard, a mouse device, 
a printer, etc. Of course, those skilled in the art will rec- 
ognize that any combination of the above components, 
or any number of different components, peripherals, 75 
and other devices, may be used with the computer. 
[0026] Generally, the computer operates under con- 
trol of an operating system stored in the memory, and 
interfaces with the user to accept inputs and commands 
and to present results through a graphical user interface 20 
(GUI) module. Although the GUI module is typically a 
separate module, the instructions performing the GUI 
functions can be resident or distributed in the operating 
system, an application program, or implemented with 
special purpose memory and processors. The compu- 25 
ter may also implement a compiler that allows an appli- 
cation program written in a programming language such 
as COBOL, C++, FORTRAN, or other language to be 
translated into processor-readable code. After comple- 
tion, the application accesses and manipulates data 30 
stored in the memory of the computer using the relation- 
ships and logic that was generated using the compiler. 
[0027] In one embodiment, instructions implement- 
ing the operating system, the computer program, and 
the compiler are tangibly embodied in a computer-read- 35 
able medium, e.g., data storage device 170, which 
could include one or more fixed or removable data stor- 
age devices, such as a zip drive, floppy disc drive, hard 
drive, CD-ROM drive, tape drive, etc. Further, the oper- 
ating system and the computer program are comprised 40 
of instructions which, when read and executed by the 
computer, causes the computer to perform the steps 
necessary to implement and/or use the present inven- 
tion. Computer program and/or operating instructions 
may also be tangibly embodied in memory and/or data 45 
communications devices, thereby making a computer 
program product or article of manufacture according to 
the invention. As such, the terms "program storage 
device, "article of manufacture" and "computer program 
product" as used herein are intended to encompass a so 
computer program accessible from any computer read- 
able device or media. 

[0028] Those skilled in the art will recognize many 
modifications may be made to this configuration without 
departing from the scope of the present invention. For 55 
example, those skilled in the art will recognize that any 
combination of the above components, or any number 
of different components, peripherals, and other devices, 



may be used with the present invention. 
[0029] Figures 2A and 2B provide a diagram show- 
ing the logical model of the secure data warehouse 102 
and the dataview suite 108 in greater detail. The 
extended database 106 comprises a customer table 
200, which is segmented into categories of personal 
data: such as phone 218, address 216, demographic 
202, employer 204, financial account 210, navigation 
history 214, transaction history 206, and online contact 
208. Each personal data category also has an associ- 
ated consent table: such as phone consent 238, 
address consent 234, demographic consent 230, 
employer consent 220, financial consent 228, naviga- 
tion consent 232, transaction consent 226, and online 
contact consent 224. The consent tables specify data 
reflecting the privacy preferences, or "opt-outs", for the 
accompanying data. In the disclosed embodiment, 
these privacy preferences include "opt-outs" for (1) 
direct marketing 240, (2) disclosure of personal data 
along with information identifying the consumer 242, (3) 
anonymous disclosure of personal data 242, (4) disclo- 
sure of personal data for purposes of making automated 
decisions 244, and (5) disclosure or use of sensitive 
data 246. Start and end dates are also maintained 
within the consent tables for historical tracking of con- 
sumer consent options. 

[0030] In the logical data model, the individual con- 
sent tables allow very fine-grained selection by the con- 
sumer of privacy preferences. For example, the 
consumer could opt-in to third party disclosure of her 
phone number, but opt-out to third party disclosure of 
her address. The model also allows privacy preferences 
that apply across the entire consumer record, store in 
the privacy consent codes table 236. The automated 
decision code 244 allows consumers to indicate 
whether their data could be used to perform automated 
processing. The sensitive data code 246 allows con- 
sumers to permit dissemination of sensitive data. 
[0031] In one embodiment, an NCR Corporation 
TERADATA database management system is utilized to 
implement the foregoing logical model. This implemen- 
tation has several advantages. 
[0032] First, the TERADATA database management 
system's ability to store and handle large amounts of 
data eases the construction of the many different views 
and allows the secure data warehousing system 100 to 
utilize a logical data model is in or close to the third nor- 
mal form. 

[0033] Second, unlike systems which execute SQL 
queries as a series of selections to narrow the data 
down to the dataview subset, the TERADATA database 
management system rewrites dataview-based queries 
to generate the SQL that selects the necessary col- 
umns directly from the appropriate base tables. While 
other views materialize entire tables before narrowing 
down the data to the view subset, TERADATA generates 
SQL that selectively pulls appropriate columns and 
rows into the result table. This method is a particularly 
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advantageous in implementing the foregoing logical 
model. 

[0034] Third, the foregoing logical model generally 
results in data views, which include complex queries and 
wide SQL expressions. The TERADATA database man- 
agement system is particularly effective at optimizing 
such queries and SQL expressions. 
[0035] Figure 3 illustrates a number of dataviews 
that are provided in the dataview suite 1 08. These data- 
views include a standard view 360, a privileged view 
362, an anonymizing view 364, and an opt-out view 366. 
These views limit visibility into the data in the customer 
table 106 in accordance with the values placed in the 
data control columns. 

[0036] The standard view 360 will not present per- 
sonal data unless either the flag in column (indicating 
that the personal information and identifying information 
can be disseminated or indicating that personal infor- 
mation can only be disseminated anonymously) is acti- 
vated. Hence, the standard view 360 selectively masks 
personal data from view unless the consumer has set 
the appropriate flags to the proper value. 
[0037] Scaleable data warehouse (SDW) customer 
Data Base Administrator's (DBA) 151 set up views into 
customer tables (any tables containing personal infor- 
mation about their customers), controlled by the Data 
Protection Offices 152, such that, for routine users, all 
columns of personal information are hidden. 
[0038] The client interface module 122, which is 
used to view, specify, and change consumer privacy 
preferences, is a privileged application. Appropriate 
security measures are undertaken to assure that the 
privileged applications are suitably identified as such, 
and to a prevent privileged view access by any entity 
that is not so authorized. 

[0039] Certain SDW applications ("Class B") may 
perform analysis on personal data, in order to gain 
insight into customer behavior, e.g. to identify trends or 
patterns. Such applications may be driven by end-users 
(knowledge workers or "power analysts") performing 
"ad hoc" queries, typically using either custom-built soft- 
ware or standard query or OLAP Tools, where the end- 
user spots the patterns. They may also involve the use 
of data mining tools, where statistical or machine learn- 
ing algorithms, in conjunction with the analyst, discover 
patterns and from them build predictive models. 
[0040] Figures 4A and 4B illustrate a data ware- 
house 400 with a physically separate but dependency 
connected, privacy dependent data mart 500 and the 
functions associated with the data mart. The data ware- 
house includes a data base management system 404 
storing one or more database tables 406 containing per- 
sonal data 406. Communication between the data ware- 
house 400 and the privacy dependent data mart is 
provided through audit 418, metadata system 414, and 
replication 416 modules contained within data ware- 
house 400 and corresponding privacy audit 518, privacy 
metadata system 514, and replication 516 modules 



contained within privacy dependent data mart 500. In 
this embodiment, each class of functionality is applied 
separately to the data (e.g. filtering the change data), 
including specific control functions (e.g. providing audit 

5 reports or replicating data). For example, the data ware- 
house 400 contains the only version of all consumer 
information, all changes to the structure and use are 
fully audited and all input to the data contents or con- 
sumer preferences are filtered and limited for integrity. 

to These limitations can be selected by entering the proper 
combination of integrity and preference. The present 
invention permits the expansion of the above described 
privacy preference paradigm to a similar system of mul- 
tiple functions of consumer information and prefer- 

75 ences, based upon the same detail of customer 
preferences. 

[0041] In the privacy dependent data mart embodi- 
ment, the security and privacy protection features of the 
extended database are further enhanced with the use of 

20 privacy access logging 570 that captures all access 
attempts to the customer data, whether granted or 
denied, and the consumer change data 580 as provided 
by the customer that examines their own data and pref- 
erences. This may be used by the system on-line or in 

25 batch mode to feed the authorized changes back to the 
source database through integrity filters. 
. [0042] In one embodiment, external data in various 
formats 592, 594 and 596 might be allowed to enrich the 
consumer data 590 through an additional privacy data 

30 source filter, and selectively applied to the consumer 
personal data. This technique allows external custom- 
ers data to be automatically flagged (e.g. for authentica- 
tion purposes), but could allow for exclusion of 
processing for return of change data back to the data 

35 warehouse. 

[0043] Figure 5 is a block diagram illustrating the 
functions of the privacy administration utility 540 that 
supports the privacy dependent data mart. 
[0044] Figure 6 is a block diagram illustrating the 

40 functions of the privacy consumer access module 530 
that supports the privacy dependent data mart 
[0045] Figure 7 is a flow chart illustrating the total 
methodology for building privacy into a data warehouse 
or a data mart consisting of a Solution Planning phase, 

45 a Design and Implementation phase and a Solution 
Usage, Support and Enhancement phase. The func- 
tions of the Privacy Discovery service 61 0 are to provide 
education, determine the business requirements, and 
set the scope to be accepted by the business. Privacy 

so Assessment service 620 is based on the outcome of 
Privacy Discovery and executes a GAP analysis against 
the functional, data, and technical requirements for Pri- 
vacy and uses these evaluations as input for the Busi- 
ness Impact Assessment which quantifies the impact 

55 that implementation choices will bring to the current 
business in terms of investment and revenue opportu- 
nity, positive or negative. Privacy Assessment also cre- 
ates an implementation blueprint of the changes 
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needed in infrastructure and business practices to ena- 
ble a data warehouse for Privacy. This blueprint feeds 
into the Architecture Design 640 that lays the foundation 
for choices for change in Infrastructure, Database Man- 
agement, Tools and Utilities all built around an inte- 5 
grated Metadata system. After completion of an 
implementation of Privacy in a data warehouse environ- 
ment a Privacy Review 690 is recommended to evaluate 
whether the implementation goals for infrastructure 
change has been met and what Data Warehouse Con- jo 
tributions have been achieved. This service also pre- 
pares for auditability by EDP Auditors or Privacy or Data 
Protection regulators. 

[0046] Figure 8 is a flow chart illustrating the spe- 
cific methodology for building the Consumer Access 75 
Dependent Data Mart and migrating consumer data and 
ifs accompanying profile for privacy preferences from a 
data warehouse and other data sources to the data 
mart. 

[0047] Project Management - Project Manage- 20 
ment is critical to the success of Dependent Data Mart 
Migration to meet obligations to the customer and for 
the elimination of 'scope creep', a project plan is 
required for all implementations. A Project Plan governs 
the Design Phase 700 with Logical Data Modeling 701 , 25 
Architecture Design 702 (Source data), 703 (Target 
Data) and 704 (Data Mart), Physical Design 705 (Busi- 
ness Profile) and 706 (Consumer Profile) and Applica- 
tion Design 707. Each step in the Design Phase 
contains Education, Interview and Workshop elements 30 
that accompany the tasks necessary to complete the 
input into the next phase. Also, Logical Data Modeling 
701 feeds information into Architecture Design 702, 
Physical Design 703 and Application Design 704. 
[0046] Project Management also passes the plan 35 
from the Design steps to the Implementation services 
for Data Sourcing 720, Data Loading and Management 
730, Information Access 740, Changed Data Return 
750 and Data Mart Management 760. The NCR project 
management methodology is the single point of contact 40 
with the customer. Project managers are responsible for 
all aspects of the Dependent Data Mart program. 
[0049] Logical Data Modeling - This service pro- 
duces the attributed logical data model and/or star 
schema for the initial implementation of the Dependent 45 
Data Mart Activities in this service include confirmation 
of requirements and generation of the data model show- 
ing relationships and attributes. The data model is cru- 
cial to a Dependent Data Mart solution to ensure that 
the proper business focus and flexibility are maintained so 
in the solution. The data model is not specific to a plat- 
form or database and is separate from any physical 
dependencies. The data model for the Dependent Data 
Mart may be either a logical data model derived from 
the enterprise data warehouse, or a star schema data 55 
model. 

[0050] Architecture Design - This service pro- 
duces the infrastructure for the initial implementation of 



the Dependent Data Mart. Activities in this service 
include confirmation of requirements and generation of 
the source systems that feed the Dependent Data Mart, 
the Dependent Data Mart itself and the architecture for 
the return of changed data back to the data warehouse. 
The architecture model is crucial to a Dependent Data 
Mart solution to ensure that the proper technical focus 
and flexibility are maintained in the solution. The archi- 
tecture model is specific to a platform and database and 
is based on its physical dependencies. 
[0051] Physical Database Design - This service 
provides the client a physical database design opti- 
mized for dependent data mart. The primary activities of 
this service are: translating the data model to a physical 
database design, database construction, design optimi- 
zation, and functional testing of the constructed data- 
base. 

[0052] Application Design (Query Development) 

- This service provides the design and implementation 
of the query interface for the Dependent Data Mart 
Solution. Utilizing a GUI based tool, queries to answers 
of agreed upon business questions will be developed as 
part of the Dependent Data Mart Program. The Applica- 
tion Design service develops applications that enable 
review and input for change based on access to detail 
consumer data, data summaries, and staged queries. 
[0053] Data Transformation and Replication - 
This service designs the process and develops the utili- 
ties and programming that allow the dependent data 
mart database to be initially loaded and maintained. 
The service locates, transforms, replications, trans- 
ports, and loads data onto the target platform. Included 
is the operational planning that allows the reloading or 
incremental loading of the dependent data mart on a 
periodic basis. Data transformation and replication for 
the Dependent Data Mart Program will normally be exe- 
cuted using Teradata utilities. 

[0054] Data Mart Management - This service 
encompasses the backup, archive, restore, and recov- 
ery strategy for the dependent data mart. This service 
does not include taking the dependent data mart into 
production, this is the responsibility of the Customer. 
[0055] Documentation - This service encom- 
passes the Integration Test, Meta Data Registration, 
Audit Testing and Customer sign-off. Customer Educa- 
tion is key to any data warehouse or dependent data 
mart success and is included as part of the dependent 
data mart services program. Other, standard Data 
Warehouse Implementation services elements are: 

• Logical Data Model 

• Physical Data Base Design 

• Extract, Transfer, Move and Load scripts 

• System Management Integration 

• Audit and Control Plan 

[0056] There are many types and uses of metadata 
including: Business rules and definitions, Directory of 
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warehouse users, developers, users, etc., Database 
schema's and views, Transformational mappings, 
Source database logical models, Target warehouse 
models including data marts, Refresh frequency of 
data, Security, Reports, Performance metrics, and 
Computing system components. Thus, the content of 
metadata is evolved during Privacy Implementation 
from merely a logical model of the source and target 
databases to full integration with business rules to infor- 
mation about information system resources. 
[0057] The foregoing description of the various 
embodiments of the invention has been presented for 
the purposes of illustration and description. It is not 
intended to be exhaustive or to limit the invention to the 
precise form disclosed. Many alternatives, modifica- 
tions, and variations will be apparent to those skilled in 
the art of the above teaching. Accordingly, this invention 
is intended to embrace all alternatives, modifications, 
and variations that have been discussed herein, and 
others that fall within the scope of the invention. 

Claims 



4. A data warehousing, management, and privacy 
control system as claimed in any preceding claim, 
wherein: 

5 said replication system provides changes and 

corrections to said customer data from said pri- 
vacy metadata system to said database man- 
agement system. 

to 5. A data warehousing, management, and privacy 
control system as claimed in any preceding claim, 
wherein: 

said database management system interface 
75 provides access to said customer data and to 

said customer personal data in accordance 
with privacy parameters stored in said data- 
base management system. 

20 6. A data warehousing, management, and privacy 
control system as claimed in any preceeding claim, 
further comprising: 



1. A data warehousing, management, and privacy 
control system, comprising: 25 

a database management system, for storing 
and retrieving customer data; 
a privacy metadata system that administers 
and records all customer personal data, users 30 
of said customer personal data, and usage of 
said customer personal data; 
a replication system providing communication 
between said database management system 
and said privacy metadata system; and 35 
a database management system interface 
operatively coupled to the database manage- 
ment system and controlling access to said 
customer data and to said customer personal 
data through said replication system. 40 



a privacy access logging system that captures 
and records all access attempts to said cus- 
tomer personal data. 



2. A data warehousing, management, and privacy 
control system as claimed in claim 1 , wherein: 



said replication system provides customer per- 45 
sonal data from said database management 
system interface to said privacy metadata sys- 
tem. 



3. A data warehousing, management, and privacy so 
control system as claimed in claim 1 or claim 2, fur- 
ther comprising: 



a customer access module operatively coupled 
to the privacy metadata system and providing a ss 
customer with means to access data, correct 
data and change of preferences to customer 
personal data related to said customer. 
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